On-line communication often involves one party supplying credentials to another party for the purpose of authenticating those credentials. In this regard, credentials are generally defined as anything used to identify an entity, user, system, or principal, and typically include data related to what the entity knows, what the entity has, and/or what the entity is.
In the context of distributed electronic systems, a credential might typically include a digital representation of a physical credential. For example, an individual's fingerprint might be a credential, but in a biometric-based system some rendering of the fingerprint is converted to digital form to produce the biometric credential. When a credential is biometric, the creation of the digital credential entails a digitization process which relies on an interface system, such as a fingerprint reader. Other interface systems include, for example, smart card readers, keyboards, display screens, and/or the like.
Credential validation is often employed by secure systems that limit access to that system's functionality based on the identity of a principal. Typically, only those principals who have been specifically authenticated and granted access may use a secure system. Thus, credential validation may be an important part of authentication. In some systems, a principal provides separate information for identification and credentials—for example, a user ID and a password. In other systems, the credentials are used to deduce the identity of the user.
In a simple, non-distributed environment, the principal usually provides credentials directly to the secure system to which access is desired. The system may optionally include an interface system. The system often follows an algorithmic procedure to validate the credentials, and during the process of authentication, the credentials may be transmitted through software and/or other components of the secure system, including the interface system, and may also be stored in some digital form within the system. For example, the credentials may be stored in the computer's random access memory (RAM), and/or memory that has been swapped onto any other recordable media by the operating system.
When using such a system, the principal often trusts the ability of the system to protect the credentials from identity theft, wherein identity theft refers to the act of a fraudulent entity obtaining information, typically credentials, that allows the identity thief to pose as some other principal. For example, an ID and password could be used in order to pose as the principal to whom the ID and credential were originally issued. The risks of identity theft usually fall into four general categories: trustworthiness of the receiving system, domain of acceptance, weighted risk in domain of acceptance, and domain risk similarity.
The trustworthiness of the receiving system often relates to the ability of a receiving system to rebuff both intentional and unintentional dissemination of credentials, wherein the receiving system is a specific secure system to which a credential set is provided by a principal. For example, a system that stores IDs and passwords in a plaintext database on a publicly available and possibly hackable public server would typically not be considered trustworthy.
Domain of acceptance typically refers to the number of systems that accept a credential set. The larger the domain of acceptance, the larger the potential risk. For example, theft of a password used by a principal to access a single system would be less damaging than theft of a password that is used for many systems. Theft of a social security number (especially in combination with other information, such as address history) can be especially damaging, as social security numbers have a very broad domain of acceptance. It is important to recognize that the damage due to theft of credentials may span the entire domain of acceptance and not just the receiving system from which the credentials were taken.
Weighted Risk in Domain of Acceptance typically refers to the fact that the amount of risk correlates not just to the number of systems that accept a credential set, but also to the collective damage that could be done within that domain. An ID and password for six non-transactional merchants would exhibit less risk than an ID and password to a single transactional merchant where on-line purchases could be billed to a payment vehicle. The weighted risk usually represents the potential damage in the domain of acceptance, and may be viewed as the summation of the product of cost and probability of each risk event within the domain.
Domain Risk Similarity often relates to whether and to what extent weighted risk is distributed equally across each of the receiving systems in the domain of acceptance. The difficulty in compromising each system, and of stealing a credential set, is similar across each system exhibiting domain risk similarity. For example, it would be poor practice to require a social security number simply to browse a website, given that other systems that use the social security number have significantly higher weighted risk. A consequence is that users would be reluctant to use such a site.
Distributed systems usually pose special risks in trustworthiness of the receiving system and domain of acceptance. Some distributed systems use distinct machines or subsystems to perform credential validation, i.e., authentication servers. As such, the receiving system into which credentials are entered is different from the credential validating system. There are distinct architectural and security advantages to computer systems that utilize authentication servers to validate credentials. However, this configuration includes passage of information between the receiving system and the validating system. This passage of information can increase risk and hence reduce the trustworthiness of the receiving system. For example, if a plaintext ID and password are passed from a web browser to a web server on the public Internet, there is considerable risk. This risk is often referred to as transmission eavesdropper risk.
Transmission eavesdropper risk addresses concerns over what happens to credentials when they are passed across a network. However, risk should be analyzed by looking at where and in what form credentials exist at all times and places within the overall system. For example, encryption of credentials during transmission to the authentication system does not protect against theft of unencrypted data in a compromised database server. And even if the database fields are encrypted, an unscrupulous technician might steal credentials and perpetrate identity theft if plaintext credentials exist anywhere in the receiving or validating systems.
Furthermore, theft from systems risk is often overlooked, and protection against this kind of theft is a major shortcoming of prior art systems. As digital identities are gaining widespread usage on the Internet, separation of receiving system and validating system is also becoming more widespread. At the same time, biometric credentials are increasingly viewed as a valuable way to minimize risks in authentication. A major problem not sufficiently addressed by the prior art is how to provide credentials in a biometric-based, distributed, authentication environment that provides very high resistance to identity theft. Moreover, there are certain classes of credentials (for example, biometric credentials) whose characteristics lead to security threats when supporting distributed authentication.
The present trend in authentication is to standardize on a small set of credentials with a large domain of acceptance. Furthermore, there is a growing interest in the use of biometric credentials. However, the introduction of biometric credentials into a distributed environment creates a new problem that has not been previously encountered.
Principals and related entities have a strong desire to prevent identity theft. Theft of a credit card account password for a user might result in fraudulent charges on the user's account. Theft of a digital certificate used by an online service might result in fraudulent transactions. There are a number of practices that protect against eavesdropper and systems theft risks. Credentials are often encrypted during transmission to prevent eavesdropping, for example, through the use of SSL during web login. Similarly, credentials are often encrypted in underlying authentication server databases to reduce the risk of systems theft if a database server is hacked or otherwise compromised. Credentials may also be encrypted, hashed, masked, and/or otherwise altered at the point of entry. For example, password entry fields are usually masked so as to be unreadable by someone looking over the shoulder of a user. Traditional UNIX logon performs a one-way hash on a password after it has been entered. Some systems, such as fingerprint-based authenticators, are closed systems that are completely self-contained and do not pass credential data outside of the authentication system hardware.
Analysis of the risk of systems theft often includes an understanding of the core processes that involve credentials and the ways in which credentials are represented. Specifically, if at any point in the processing of a credential, either as stored in a system of record or as provided from the principal, the credential is represented explicitly or in a way that can be algorithmically transformed, and this representation of the credential would be accepted by the receiving system or any system in the domain of acceptance, then there is a risk.
On-line access usually includes a series of basic processes. The first process is typically registration, wherein a new user is added to the database of the underlying authentication system, possibly using some initial credentials. For example, new users may be assigned an initial password so that they can log on to the system. In the case of biometric authentication, initial biometric credentials may be collected and entered into the authentication system. This process will typically either store the digital credentials in the database as-is, or store them in the database in some modified form. The second core process is usually authentication, which entails credential validation and, as discussed above, may also entail identification of the user. Other processes include maintenance, which is supported under some systems and which allows a user to modify credentials, and revocation, which removes or inactivates a user's credentials in the underlying authentication system.
With respect to credential validation, the authentication process typically proceeds as follows. First, presented credentials are provided by the receiving system and may be represented in some modified form. To distinguish this modified form from the raw form, such credentials are referred to herein as modified presented credentials. For example, there may be an authentication application programming interface (API) that accepts a user ID and one-way hashed password, and which returns an access control list for the user. Identification is also suitably provided by the receiving system. The validation then uses the identification to retrieve information from an underlying data store which typically includes some form of the credentials. These will be referred to herein as modified stored credentials. At the time of registration or maintenance, the user will have supplied stored credentials that were then converted to the modified stored credentials. Note that there are other variants of this approach, but most prior art systems are similar. Ultimately, the validation process seeks to determine whether presented credentials are consistent with the stored credentials. In order to do so, the algorithmic procedure accepts as input the modified presented credentials and the modified stored credentials.
Given this approach, there are several variations that are seen in the industry today. Raw Equivalence—the simplest and riskiest approach—is where there is no modification of credentials, e.g., plain text passwords. That is, the modified presented credentials are equivalent to the presented credentials, and the modified stored credentials are equivalent to the stored credentials. The algorithmic procedure involves a simple equality test: If the modified presented credentials are equal to the modified stored credentials, then the presented credentials are considered consistent with the stored credentials.
One-way hash equivalence is a much improved approach that uses a special algorithm called a one-way hash. A one-way hash is easy to compute from an input, but the original input is impossible to compute from the output. The algorithm is applied to the stored credential to obtain the modified stored credential at the time of registration or maintenance. The same algorithm is then applied to the presented credential to obtain the modified presented credential during validation. Once again, the algorithmic procedure is a simple equality test: If the modified presented credentials are equal to the modified stored credentials, then the presented credentials are considered consistent with the stored credentials. This approach is employed under the UNIX operating system, and makes the system resistant to systems theft as the password of a user never exists in unmodified form on the system. One additional characteristic is important to the successful reduction of risk—the one-way hash uses a shared secret that is exchanged between the receiving system and authentication system. In this way, an eavesdropper could not replay the submission of an ID and modified presented credential to gain access.
Cryptographic Equivalence is a variation on one-way hash equivalence which uses cryptographic means, such as, for example, a digital signature with an asymmetric key, to modify credentials. Again, equality comparison is usually used for validation, and credentials might typically include X.509 certificates, which are based on asymmetric key cryptography. In general, the one-way hash and cryptographic mechanisms described above rely on an algorithm that has two properties: (1) it is easy to compute in one direction only; and (2) its application includes additional information known only to the receiving system and authentication system.
In general, this class of approach will be referred to herein as One-Way approaches, and the above two schemes can be generalized as One-Way Equivalence. Approaches that are not one-way, i.e., those that do not modify credentials, will be referred to herein as Raw.
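The two equivalence variants above, as an added worked example that is not part of the patent text: raw equivalence is a plain equality test on the unmodified credential, while one-way equivalence compares salted one-way hashes, and the shared value exchanged between the receiving and authentication systems is modelled here (my assumption, not the page's) as a fresh per-login challenge so that a captured submission cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Added illustration (constructed, not from the patent text) of raw equivalence
# and one-way equivalence with a replay-resistant submission between the
# receiving system and the authentication system.

# --- Raw equivalence: the stored credential is the plaintext itself ----------
def raw_register(password: str) -> str:
    return password            # modified stored credential == stored credential

def raw_validate(presented: str, stored: str) -> bool:
    # Plain equality test (constant-time compare to avoid timing leaks).
    return hmac.compare_digest(presented.encode(), stored.encode())

# --- One-way equivalence: one-way function applied at registration ------------
def one_way_modify(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the plaintext never exists on the validating system.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def one_way_register(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, one_way_modify(password, salt)

# --- Replay resistance (assumption: the shared value is a per-login challenge)
# The receiving system sends HMAC(challenge, modified presented credential)
# rather than the modified credential itself; once a challenge is consumed,
# a captured submission is useless.
def issue_challenge() -> bytes:
    return secrets.token_bytes(32)

def receiving_system_submit(password: str, salt: bytes, challenge: bytes) -> bytes:
    modified_presented = one_way_modify(password, salt)
    return hmac.new(challenge, modified_presented, "sha256").digest()

def authentication_system_validate(submission: bytes, modified_stored: bytes,
                                   challenge: bytes, used_challenges: set) -> bool:
    if challenge in used_challenges:      # replayed challenge: reject
        return False
    used_challenges.add(challenge)
    expected = hmac.new(challenge, modified_stored, "sha256").digest()
    return hmac.compare_digest(submission, expected)

def demo() -> dict:
    # Registration, a good login, a replay of the same capture, a wrong password.
    salt, modified_stored = one_way_register("correct horse battery")
    used = set()
    c1 = issue_challenge()
    capture = receiving_system_submit("correct horse battery", salt, c1)
    first = authentication_system_validate(capture, modified_stored, c1, used)
    replay = authentication_system_validate(capture, modified_stored, c1, used)
    c2 = issue_challenge()
    wrong = authentication_system_validate(
        receiving_system_submit("wrong", salt, c2), modified_stored, c2, used)
    return {"first": first, "replay": replay, "wrong": wrong}
```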
Determination of consistency between the presented credentials and the stored credentials in biometric authentication does not typically, however, use simple equivalence. Biometric credentials usually consist of a sometimes large set of data collection points, such as light density or electrical capacitance over a two dimensional array. Biometric credentials may be transformed by various feature-extracting algorithms, but will still consist of a collection of data points. The significance of the data points is that there is not typically an exact match between the presented credentials and the stored credentials. Whereas comparing passwords is simply an equality test, comparing two representations of scanned fingerprints, retinas, handwriting, and/or the like, is complex, algorithmic, and inexact.
Pattern matching algorithms are employed to compare biometric data sets, and typically consist of feature extraction followed by scoring of matched features. When the score exceeds a prescribed threshold, then the presented credentials are considered to be consistent with the stored credentials. The crucial observation about this type of credential is that the test for consistency is not equivalence. As used herein, when distinguishing such a comparison from equivalence, it will be designated non-equivalent consistency.
Raw consistency often occurs when the modified presented credentials are equivalent to the presented credentials and the modified stored credentials are equivalent to the stored credentials. The algorithmic procedure tests for consistency by some means other than equality, presumably performing pattern matching with some similarity threshold. A variation on raw consistency allows initial feature extraction to create the credential set from the raw biometric input. Raw approaches therefore have inherent systems theft risk. An individual may steal credentials if he or she gains access to an authentication system. Moreover, the owner of the system might choose to use the credentials in ways that the provider of the credentials does not wish. In accordance with known prior art systems, biometrics are, for the most part, only usable in the raw approach. For example, minute variations in the generation of a fingerprint scan will often cause two scans from the same finger to never be identical. Therefore, the system that performs the validation includes unmodified credential sets to perform the consistency test such that biometric based authentication systems are subject to systems theft risk.
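The non-equivalent consistency test described above, as an added worked example that is not part of the patent text: a constructed 64-bit feature template stands in for the output of a feature-extraction step, a noisy rescan of the same finger is not equal to the stored template yet passes the similarity threshold, and a template that differs in half its features fails; the stored template must be held in unmodified form, which is the systems theft exposure the passage describes.

```python
import random

# Added illustration (constructed, not from the patent text) of non-equivalent
# consistency. A toy 64-bit feature template stands in for the output of a
# feature-extraction step; the stored template is kept unmodified because the
# scoring needs it, which is the systems-theft exposure discussed above.
TEMPLATE_BITS = 64
MATCH_THRESHOLD = 0.90   # prescribed threshold on the similarity score

def enroll(seed: int) -> list[int]:
    # Registration: produce a deterministic pseudo-random template for a "finger".
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]

def rescan(template: list[int], flips: int, seed: int) -> list[int]:
    # Simulate sensor noise by flipping `flips` feature bits of the template.
    rng = random.Random(seed)
    noisy = list(template)
    for i in rng.sample(range(len(noisy)), flips):
        noisy[i] ^= 1
    return noisy

def similarity_score(presented: list[int], stored: list[int]) -> float:
    # Scoring of matched features: fraction of bits that agree (1.0 = identical).
    if len(presented) != len(stored):
        raise ValueError("template length mismatch")
    matched = sum(1 for p, s in zip(presented, stored) if p == s)
    return matched / len(stored)

def consistent(presented: list[int], stored: list[int],
               threshold: float = MATCH_THRESHOLD) -> bool:
    # The consistency test is a threshold on the score, not an equality test.
    return similarity_score(presented, stored) >= threshold

def demo() -> dict:
    stored = enroll(seed=1)
    same_finger = rescan(stored, flips=3, seed=7)     # a fresh, slightly noisy scan
    other_finger = rescan(stored, flips=32, seed=7)   # half the features differ
    return {
        "same_finger_equal": same_finger == stored,
        "same_finger_score": similarity_score(same_finger, stored),
        "same_finger_consistent": consistent(same_finger, stored),
        "other_finger_consistent": consistent(other_finger, stored),
    }
```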
Biometrics also exhibit another property that heightens risk and underlies the need to minimize the likelihood of credential theft. Whereas a system password can be readily changed, and a user may choose to utilize many different passwords on many different systems, fingerprints and other biometrics do not change significantly. Their invariance is one of the properties that makes them useful as credentials. However, as biometric systems are increasingly adopted, the domain of acceptance grows. For example, a user cannot change the images of their retinas, so the domain of acceptance would be the same size as the number of systems employing retinal scan authentication. This is in contrast to password or digital certificate authentication, where different credential sets can be employed for different systems, even though those systems employ the same type of credentials. And even in the case where the same credential is employed for different systems, passwords and certificates can be protected by a one-way algorithm as described above. In summary, biometrics pose special risks due to a potentially large domain of acceptance and reliance on a raw validation approach.
From the perspective of a user, a security-savvy entity may choose not to provide credentials to systems that cannot assure them positively that the system can prevent undesired use of credentials, whether intentional or unintentional. Conventional systems often do not employ biometric credentials, and can follow the one-way equivalence approach described above to achieve minimal systems theft risk. On the other hand, conventional systems that use biometric credentials employ the raw consistency approach defined above. As such they often exhibit systems theft risk.
Biometric systems may often be self-contained, incorporating the credential database into the same hardware as the biometric interface, or at least integrating the system components in a way that would make theft of data very difficult. Physical security can also be relied upon in such a system, as surveillance and physical security personnel can reduce the likelihood of tampering with such systems. When the systems are not self-contained, the risk associated with raw credential validation can be mitigated by providing higher security around the authentication server. For example, a physical access control system for a building might use a centralized authentication server that is not connected to the Internet. Although users who provide their credentials to the interface systems are in fact at some slight risk of credential theft, they are comfortable in their belief that their credentials will not be transmitted outside of the closed security system. In applications where validation by raw consistency is desired (typically but not necessarily biometrics), encryption and special attention to systems design can mitigate the risk of systems theft. Transmission eavesdropper risk can be sufficiently mitigated by encryption such as SSL. However, the systems theft risk cannot be completely obviated so long as an unmodified form of the credential set is required for consistency testing.
Systems and methods are therefore needed to overcome these and other shortcomings of the prior art.